A few weeks ago, the Wall Street Journal ran a story about a laundromat in Carbondale, Colorado that was infected with the Mirai internet virus. Unbeknownst to the business owner, an internet-connected video recorder had been infected and was scanning the web for places to spread itself. The only sign that something was amiss was the fact that the device was regularly acting up — disconnecting the remote viewing app and forcing the owner to reconnect it by restarting the digital video recorder.
While the story didn’t reveal any new developments, it does serve as an important reminder that malware continues to flourish in places we don’t typically expect to find it.
We all have Internet-connected devices that sometimes act strangely, but outside our phones and laptops, most people don’t even think of these mishaps as cybersecurity threats at work. But in our new IoT paradigm, that’s exactly what could be occurring. Our routers, digital cameras and DVRs are now as susceptible to attack as anything. And as we see millions of additional devices make their way into the market in the next few years, this problem is set to grow exponentially.
That sounds hyperbolic, but according to security researcher Steve McGregory who was interviewed in the WSJ article, “Within nine seconds of turning on, [machines that are poorly secured] get hit.” Nine seconds.
Passwords: The Weak Link Once Again
More than anything, this is yet another example of why the traditional password is so painfully obsolete. Many manufacturers ship these devices with common and simple passwords like “123456” and assume the user will reset that password to something more secure. I think we all know how that goes. But in fairness to the user, it’s just not reasonable to expect anybody to keep up with the number of passwords they need today, much less what they’re going to need tomorrow.
We are headed blazingly fast down a path where tens of billions of IoT devices will be connected to the Internet by the end of the decade. If password security isn’t done right, and security best practices are not implemented with real conviction, it could have a destructive impact on the infrastructure we can’t even begin to fathom. If passwords weren’t a problem already — and they are — the trend towards IoT is set to amplify it by orders of magnitude.
We are seeing some movement in the right direction: some router manufacturers have started shipping their devices with individualized passwords. That a good start, but device manufactures, vendors and end users will have to work together to solve these issues.
We need to begin by understanding that these devices can be hacked, that they require regular updating, that they need strong, regularly changed passwords and that they are a potential pathway into a corporate or home network. Furthermore, devices that are deployed and managed within an enterprise need additional controls, akin to mobile device management (MDM) and single-sign (SSO), to be exposed by the device manufacturers. We’re all responsible for ensuring the safety of the internet in the years to come. Let’s accept that responsibility and design a carefully thought out, secure path forward.
In our eBook, Level up Your Security, to learn why passwords are no longer acceptable in today’s cybersecurity landscape.